I fought the OSCP and won!

Introduction

Having made the leap from the public sector into the commercial sector of InfoSec, I knew it would be quite a step up in technical challenge and excitement. To give myself a broad knowledge base and credibility in the industry, I decided to sign up for the Offensive Security Certified Professional certification. This post will quickly gloss over my background and prior experience before covering some tips that I found useful, as well as a collection of decent starter links. Most of these links are well used, but a couple I found buried in the darkest corners of the internet.

Background

I have been in IT in a variety of roles since I was 16.  I started off breaking my household computer and needed to fix it before my Mum found out.  I left school and began working in a variety of desktop support jobs before moving to an MSP.  I’d say I have pretty solid sysadmin skills, centred around Windows Server and Active Directory.  I’ve always had an active interest in information security and upon leaving the public sector I decided to expand my knowledge and skills.

Preparation

I started on VulnHub.com and began following walkthroughs, until I didn’t need them as much.  A list of some useful pre-OSCP VMs is at the bottom of the article.  I undertook the Cyber Scheme Team Member (UK specific) exam and carried on cracking through VulnHubs.  I also made sure I had a solid understanding of LAN technologies and the theory of information security by quickly taking Network+ / Security+.  You probably won’t need to take these if you are already in commercial IT.

OSCP Course / Learning Styles

I really struggled with the course. I found that the PDF (whilst excellent) only scratched about 10% of the required knowledge, and very little ‘recommended reading’ was hinted at. However, this is made very clear to you before you start. The videos and PDF make a decent foundation, but you need to dedicate a huge amount of time to independent research and trial and error.

Many times I would spend three evenings trying to exploit a SQLi vulnerability and be missing a semi-colon in my syntax somewhere. I found the ‘try harder’ attitude of the admins quite frustrating, and I haven’t quite got the rose-tinted glasses of ‘it was for my own good’ just yet. The forums are full of people who just need a tiny hint in a direction but are left hanging. My personal opinion is that if they can see you have nailed what they are trying to show you on the specific box and just need a tiny nudge on syntax, they should be more helpful. This is especially relevant if you are self-funding your lab time and have a full-time job too! However, this is all personal preference, and the system must work as I passed!

OSCP really tries to blend learning styles together, which is admirable – audio, visual and kinaesthetic learners will each get something out of reading the PDF, watching the videos and completing the course exercises. The problem comes when you are thrown into the labs; so much of the learning is focused on ‘doing’ that if you don’t learn that way you will really struggle. The course does try to mitigate this by teaching certain techniques in the PDF and videos, then introducing things in the labs that require you to go one stage further (e.g. gcc not having certain libraries in the right location, or a different shell being installed) and really understand the exploit.

I won’t labour this too much as the internet is full of people’s musings on the syllabus. The course isn’t really designed to teach you pentesting techniques, more a methodology. It would be impossible to cover the breadth of techniques required to attack modern infrastructure. If your desired end state is ‘see a server configured like XYZ, fire up technique ABC’ then you are in for a bad time. If you are looking for walkthroughs or more real-world PoC exploits rather than the very vanilla Exploit-DB ones, you won’t find them here.

It is about teaching you to enumerate and gather as much information as possible about your target. Very rarely will there be vulnerabilities that are ‘one click root’, and even exploits that look to be quick wins will require slight tweaking to fit the environment.

Book your exam as soon as you start the course, it will help you focus by having a deadline and the decent start times / weekends book up FAST.

OSCP Exam

I failed hard my first time – I couldn’t get initial footholds, particularly on web-related things. I got back in the labs and tried harder! Passed with 4 roots and 1 low-priv shell on my 2nd attempt.

Rules on bonus points have changed slightly – make sure you check the page before your exam!  You have time to eat and sleep!

Here is the OffSec guide: https://support.offensive-security.com/#!oscp-exam-guide.md

Note Taking

Start decent note taking NOW.  I rooted a few early boxes with poor notes and basically had to re-do all the work when I saw that they were needed for pivoting onto other networks or to gain client side access.

This isn’t the ideal technique, but it worked for me. Especially useful is the ‘Quick Summary’, in which you describe the steps needed to gain access. These are written for you only and are designed to give you a quick prod should you need to get back on a machine (or someone reverts it halfway through!).
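As an added example (not part of the original post, and not how the author kept notes), here is a small POSIX shell wrapper that makes the ‘write it down as you go’ habit automatic: every command run through it is appended to a per-target log with a timestamp, the exact command line, combined stdout/stderr and the exit status, and a second helper keeps the one-line ‘Quick Summary’ beside it. The notes directory, the file names and the 10.11.1.5 placeholder target are assumptions for this example.

```shell
#!/bin/sh
# Added example: per-target command logging for lab/exam notes.
# Not from the original post. NOTES_DIR, the file names and the
# placeholder target are assumptions for this example.

NOTES_DIR="${NOTES_DIR:-$HOME/oscp-notes}"

# note_run <target> <command> [args...]
# Runs the command, echoes its output to the terminal, and appends the
# timestamp, exact command line, combined stdout/stderr and exit status
# to $NOTES_DIR/<target>/log.txt. Returns the command's own exit status,
# so a failed exploit attempt is recorded as such rather than lost.
note_run() {
    target=$1; shift
    dir="$NOTES_DIR/$target"
    log="$dir/log.txt"
    mkdir -p "$dir"
    printf '\n### %s  $ %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$log"
    tmp=$(mktemp)
    status=0
    "$@" > "$tmp" 2>&1 || status=$?   # capture the status even under 'set -e'
    tee -a "$log" < "$tmp"            # show it on screen and keep it on disk
    rm -f "$tmp"
    printf '### exit status %s\n' "$status" >> "$log"
    return "$status"
}

# quick_summary <target> <one line describing a step>
# Appends a dated one-liner to <target>/summary.txt: the short "how I got
# in" reminder you want when a box is reverted or needed again for pivoting.
quick_summary() {
    target=$1; shift
    dir="$NOTES_DIR/$target"
    mkdir -p "$dir"
    printf '%s  %s\n' "$(date -u '+%Y-%m-%d')" "$*" >> "$dir/summary.txt"
}

# show_summary <target>
# Prints the quick summary for a target (empty if nothing recorded yet).
show_summary() {
    cat "$NOTES_DIR/$1/summary.txt" 2>/dev/null || true
}

# Usage (placeholder target; the commands are whatever you would run anyway):
#   note_run 10.11.1.5 nmap -sC -sV -oA nmap/10.11.1.5 10.11.1.5
#   quick_summary 10.11.1.5 "foothold: <service> -> <vuln> -> shell as <user>"
#   quick_summary 10.11.1.5 "root: <privesc step>, needed <tweak> to work"
#   show_summary 10.11.1.5
```

Source the file in the shell you attack from and run anything you would otherwise have to paste into your notes later through `note_run`. For an interactive shell on the target itself, `script -f` recording the whole session is the better fit; the wrapper above is for the individual commands you fire from your own box.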


No one enjoys documentation (we just want that sweet, sweet r00t) but if you are being employed to deliver value to a client then handing them the Domain Admin password on a post it isn’t good enough – your report needs to help them remediate their vulnerabilities.  That’s why you work for a consultancy!

Bookmarks

I collected these from across the web before I started and collated them into categories.  None of these are tricks to get into the boxes, just aimed at syntax reminders and getting ‘how do I do that again’ information quickly.

I would say these bookmarks covered 3-5% of my Googling!

  • https://workflowy.com/s/FgBl.6qcAQUUqWM#
  • http://garage4hackers.com/showthread.php?t=6902
  • https://support.rackspace.com/how-to/capturing-packets-with-tcpdump/
  • http://www.fuzzysecurity.com/tutorials/16.html
  • https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
  • https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
  • http://insidetrust.blogspot.co.uk/2011/08/using-hydra-to-dictionary-attack-web.html
  • http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.html#anc5
  • http://www.bluesock.org/~willg/dev/ascii.html
  • https://www.w3schools.com/tags/ref_urlencode.asp
  • http://foofus.net/goons/jmk/medusa/medusa.html
  • Also check out the manual for Mona.py

Tools

The tools you are introduced to in the course are pretty good; however, a few I picked up on my travels are:

  • SQSH / TSQL
  • Zed Attack Proxy
  • Impacket
  • Odat
  • accesschk
  • SysInternals Suite

I’m not going to say how or why to use these (and there are plenty more), but half the battle is enumerating a host, working out what you need to do, then finding a tool that will allow you to achieve it.

VMs

All available on Vulnhub or similar.

  • Kioptrix (all versions)
  • Necromancer
  • Mr-Robot
  • Stapler
  • LordoftheRoot
  • The age-old Metasploitable 2 and 3. Version 2 is good for teaching web-related techniques.

Conclusion

I am fiercely proud of my OSCP certification; it represents a solid 3 month period of my life in which I made a lot of sacrifices to gain it. It isn’t cheap, but the toughness of it makes it well respected. I feel my knowledge and abilities have increased significantly. I especially enjoyed how new exploits were built into the lab machines quickly by the OffSec team. It is almost becoming an entry-level certification given the number of people posting on the forums / IRC. It is quite easy to see the OS-IDs incrementing quickly; however, we have no idea how many of them go on to pass or fall by the wayside.
